Vulnerability Management: Are You a Control Freak?

Similar to risk preferences, I’ve noticed that people have differing preferences about how much they want to be in control of things. Some people are just total control freaks, while others just “go with the flow”.

I suppose it depends on what the “thing” is that we do or don’t have control over that determines how comfortable we are with our level of control. For me, some things that I absolutely want control over are driving (I usually stomp the invisible passenger side brake when I ride shotgun) and booking my travel (god forbid I end up in a middle seat).

On the other hand, I couldn’t care less about having the TV remote control at home – my daughter knows I won’t mind another episode of My Little Pony – and I certainly don’t mind giving control over my monthly bills to autopay – I’d probably be bankrupt from late fees if I didn’t.

One area where the idea of control comes up is cloud computing. As more and more IT solutions move to the cloud, I find it interesting how people and organizations also have varying levels of comfort over the tradeoff between convenience and control.

Cloud solutions obviously have a lot to offer—fast implementation, less or no hardware to deal with, and the ability to “pay as you go” instead of up-front costs. These benefits come with a tradeoff in terms of control: less control over how and where data is stored, over when updates are applied, and over fixing things when they break instead of relying on a third party.

For security and vulnerability management solutions, the stakes are even higher, because they deal with sensitive information about your network.

For example, vulnerability management solutions contain information on how an attacker could best compromise your network, including information on what machines to attack, how to attack them, and oftentimes the administrative usernames and passwords that provide unlimited access to the network.

While of course there are controls and security in place to prevent unauthorized access to data stored on cloud solutions, there is still the question of control and how comfortable you and your company are trusting that level of control to a third party.

In the end, it’s likely that the policies and culture of your organization will impact decisions on the tradeoffs between potential benefits vs. loss of control and the related impact on security.

If you’re facing the question of control for an existing vulnerability management program, I have a resource you might be interested in: